Splunk Search

New Field REX HELP (API)

havatz
Explorer

Hi all

I want to create a new AWS monitoring alert.

For the first step I checked the AWS fields and I saw that I need to parse the "principalId" field from "_raw" (I want to create the rule based on principalId).

Part of the raw:

{\"type\": \"Root\", \"principalId\": \"444444444444\", \"arn\"


I'm running this query:

"search index=aws userIdentity.type=Root eventName=ConsoleLogin earliest=-1d | rex field=_raw principalId\W\W:\s\W\W(?P<principalId>\d*)"

and getting results but without the "principalId" new field.


What am I missing in the query?

Thanks!


havatz
Explorer

This is the raw data:


"_raw": "{\"eventVersion\": \"1.05\", \"userIdentity\": {\"type\": \"Root\", \"principalId\": \"11111111111\", \"arn\": \"arn:aws:iam::11111111111:root\", \"accountId\": \"11111111111\", \"accessKeyId\": \"\"}, \"eventTime\": \"2020-09-25T17:49:45Z\", \"eventSource\": \"signin.amazonaws.com\", \"eventName\": \"ConsoleLogin\", \"awsRegion\": \"us-east-1\", \"sourceIPAddress\": \"xxxxxxxxx\", \"userAgent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)


ITWhisperer
SplunkTrust

Your second screenshot doesn't have any \ before the " although your test data (first screenshot) does. What is actually in your data? You could try

search index=aws userIdentity.type=Root eventName=ConsoleLogin earliest=-1d | rex field=_raw principalId\W+:\s\W+(?P<principalId>\d*)

havatz
Explorer

Getting this error:


ITWhisperer
SplunkTrust

You are using curl and ReST API? Try escaping the backslashes

"search index=aws userIdentity.type=Root eventName=ConsoleLogin earliest=-1d | rex field=_raw principalId\\W\\W:\\s\\W\\W(?P<principalId>\\d*)"


havatz
Explorer

Should the query also apply retroactively to old events, or should I wait for new ones?


havatz
Explorer

Yes, it's the API.

This query is working great, but I'm still getting the "principalId" empty.


ITWhisperer
SplunkTrust

Have you looked at the data in the Splunk GUI? Are there really backslashes before the double quotes in the data?

Try this:

"search index=aws userIdentity.type=Root eventName=ConsoleLogin earliest=-1d | rex field=_raw principalId\\W+:\\s\\W+(?P<principalId>\\d*)"

havatz
Explorer

You're right! My mistake.
It's working!! Thank you!


gcusello
SplunkTrust

Hi @havatz,

Are you sure that in your logs there's the backslash before the quotes?

If not, please try this regex:

| rex "\"principalId\":\s+\"(?<principalId>[^\"]+)\""

that you can test at https://regex101.com/r/iS9NFl/1

Otherwise, please try this regex:

| rex "principalId\\\":\s+\\\"(?<principalId>[^\"]+)"

that you can test at https://regex101.com/r/iS9NFl/2

Ciao.

Giuseppe


havatz
Explorer

curl -k -u "user pass" https://localhost:11111/services/search/jobs?output_mode=json -X POST -d search="search index=aws userIdentity.type=Root eventName=ConsoleLogin earliest=-30d | rex field=_raw "principalId\\\":\s+\\\"(?<principalId>[^\"]+)"

{"messages":[{"type":"ERROR","text":"Error in 'SearchParser': Missing a search command before '^'. Error at position '129' of search query 'search index=aws userIdentity.type=Root eventName=...{snipped} {errorcontext = ncipalId>[^\"] )}'.","help":""}]}
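As an added example, not code from anyone in the thread: a small Python script that runs the three patterns discussed above against a constructed event body in both forms (inner quotes backslash-escaped, as in the `_raw` posted earlier, and plain JSON), and form-encodes the search for `POST /services/search/jobs` so the regex's backslashes and quotes never reach a shell un-encoded, which avoids the unbalanced quoting in the last post's curl command. The account id and ARN are placeholders, and Python's `re` needs the `(?P<name>...)` group form, which Splunk's rex also accepts.

```python
import re
from urllib.parse import parse_qs, urlencode

# Constructed sample events; the account id and ARN are placeholders.
# RAW_ESCAPED mirrors the _raw shown in the thread (inner quotes backslash-escaped);
# RAW_PLAIN is the same CloudTrail record as ordinary JSON.
RAW_ESCAPED = (r'{\"userIdentity\": {\"type\": \"Root\", \"principalId\": \"111111111111\", '
               r'\"arn\": \"arn:aws:iam::111111111111:root\"}, \"eventName\": \"ConsoleLogin\"}')
RAW_PLAIN = ('{"userIdentity": {"type": "Root", "principalId": "111111111111", '
             '"arn": "arn:aws:iam::111111111111:root"}, "eventName": "ConsoleLogin"}')

# The thread's patterns as rex (PCRE) sees them, one backslash each.
REX_TWO_NONWORD = r'principalId\W\W:\s\W\W(?P<principalId>\d*)'  # original post: exactly two
REX_NONWORD_RUN = r'principalId\W+:\s\W+(?P<principalId>\d*)'    # accepted answer: one or more
REX_PLAIN_JSON = r'"principalId":\s+"(?P<principalId>[^"]+)"'    # gcusello's first regex


def extract_principal_id(raw, pattern):
    """Return the principalId captured from one event body, or None if no match."""
    m = re.search(pattern, raw)
    return m.group("principalId") if m and m.group("principalId") else None


def spl_quote(pattern):
    """Wrap a regex in SPL double quotes; a literal quote inside is written as
    backslash followed by quote, as in the rex gcusello posted."""
    return '"' + pattern.replace('"', r'\"') + '"'


def build_search_body(pattern, earliest="-1d"):
    """Form-encode the search for POST /services/search/jobs.  Every byte of the
    regex is percent-encoded, so no shell or transport layer sees its backslashes
    or quotes and nothing needs doubling."""
    spl = ("search index=aws userIdentity.type=Root eventName=ConsoleLogin "
           f"earliest={earliest} | rex field=_raw {spl_quote(pattern)}")
    return urlencode({"search": spl, "output_mode": "json"})


def decode_search_body(body):
    """The SPL the REST endpoint reconstructs from the form-encoded body."""
    return parse_qs(body)["search"][0]


if __name__ == "__main__":
    for name, pat in (("two \\W", REX_TWO_NONWORD), ("\\W+", REX_NONWORD_RUN), ("plain", REX_PLAIN_JSON)):
        print(f"{name:8} escaped={extract_principal_id(RAW_ESCAPED, pat)} "
              f"plain={extract_principal_id(RAW_PLAIN, pat)}")
    print(build_search_body(REX_NONWORD_RUN))
```

The `\W+` form from the accepted answer matches whether or not the quotes are escaped, which is why it works without first confirming what the indexed data looks like; the other two each match only one of the forms.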